LinuxCommandLibrary

pcapfix

Fix corrupted or broken pcap files

TLDR

Repair a PCAP/PcapNG file (Note: for PCAP files, a packet whose captured length exceeds 262144 bytes is treated as corrupt)

$ pcapfix [path/to/file.pcapng]

Repair a PCAP file by scanning the whole file for packet headers instead of stopping at the first corrupted region (PCAP format only)
$ pcapfix --deep-scan [path/to/file.pcap]

Repair a PCAP/PcapNG file and write the repaired file to the specified location
$ pcapfix --outfile [path/to/repaired.pcap] [path/to/file.pcap]

Treat the specified file as a PcapNG file, ignoring automatic recognition
$ pcapfix --pcapng [path/to/file.pcapng]

Repair a file and show the process in detail
$ pcapfix --verbose [path/to/file.pcap]

SYNOPSIS

pcapfix [options] input_file

PARAMETERS

input_file
    The corrupted or truncated capture file to repair. pcapfix recognises classic pcap and PcapNG files by their magic bytes. The input is never modified: the repaired copy is written to a new file.

-o file, --outfile file
    Write the repaired capture to file. Without this option the output is named fixed_<input file name> in the current directory.

-d, --deep-scan
    Deep scan (pcap format only). Scan the entire file for packet headers instead of stopping at the first corrupted region, so packets that follow damaged data can also be recovered. This is slower and more likely to accept a byte sequence that merely looks like a packet header, so inspect the result with care.

-s, --soft-mode
    Soft mode (pcap format only). Relaxes the plausibility checks applied to packet headers so that packets a strict scan would discard are kept. Use it when a normal run throws away packets you believe are valid.

-n, --pcapng
    Treat the input as a PcapNG file regardless of automatic detection.

-t nr, --data-link-type nr
    Data link type number for the global header of the repaired file (for example 1 for Ethernet).

-v, --verbose
    Show each step of the repair process, including which packets were corrected or dropped.

-k, --keep-outfile
    Keep the output file even when no corruption was found. By default pcapfix reports that the file looks proper and deletes the output file it created.

DESCRIPTION

pcapfix is a command-line utility that repairs damaged or incomplete pcap and PcapNG (packet capture) files. Such files are typically left behind when the capturing process is killed, the system crashes or loses power, or a file is cut off during transfer. The tool walks the file record by record, checking each packet header for plausibility (captured length within the snapshot length and the 262144-byte maximum, captured length not larger than the original length, sensible timestamps) and, for PcapNG, checking block lengths and block boundaries. It repairs a broken global header, corrects inconsistent length fields, drops records it cannot make sense of, and, with --deep-scan, resynchronises on the next plausible packet header after a damaged region. The result is written to a new file so the original is preserved. It cannot recover data that was never written or has been overwritten, but it routinely turns a capture that Wireshark or tcpdump refuses to open into one that loads, which makes it useful in network forensics, debugging and post-mortem analysis where the raw packet data matters.

CAVEATS

pcapfix performs a best-effort recovery. It cannot restore data that was never written or is corrupted beyond recognition, and with heavily fragmented or extensively damaged files the output may still contain inconsistencies, missing packets, or, after a deep scan, a stretch of garbage that happened to pass the header checks. Always verify the repaired file afterwards, for example with capinfos, tshark or tcpdump -r, and look for a last packet whose captured length is shorter than its original length, which marks where the capture was cut off. For forensic work keep the original file and its hash alongside the repaired copy; pcapfix does not modify its input.
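The following script is an added example written for this page, not pcapfix's own code, and it shows the mechanism described under DESCRIPTION together with the post-repair check recommended above. It builds a small constructed capture in memory, damages it in the two ways pcapfix deals with (truncation mid-packet, and garbage between packets), repairs it with a record walker that accepts only plausible headers and resynchronises byte by byte when a deep scan is requested, and then re-parses the output strictly. The plausibility rules, the "partial_last" report field and the names build_capture, repair and verify are this example's own; it handles only little-endian, microsecond-resolution classic pcap (magic 0xa1b2c3d4), not PcapNG.

```python
"""Miniature pcapfix-style repair of a classic (libpcap) capture. Example code
written for this page; it is not the pcapfix implementation."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
MAX_SNAPLEN = 262144                     # caplen above this is treated as corrupt
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, caplen, origlen
LINKTYPE_ETHERNET = 1


def build_capture(payloads, snaplen=65535):
    """Constructed sample input: a well-formed capture with one record per payload."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, body in enumerate(payloads):
        out += REC_HDR.pack(1_700_000_000 + i, 1000 * i, len(body), len(body)) + body
    return bytes(out)


def header_plausible(fields, snaplen, prev_ts):
    """Sanity rules for a record header (this example's own heuristic)."""
    ts_sec, ts_usec, caplen, origlen = fields
    return (ts_usec < 1_000_000
            and 0 < caplen <= min(snaplen, MAX_SNAPLEN)
            and caplen <= origlen
            and ts_sec >= prev_ts)       # records are written in time order


def repair(data, deep_scan=False):
    """Return (repaired_bytes, report). Stops at the first implausible header
    unless deep_scan is set, in which case it slides one byte at a time until
    a plausible header whose whole record fits in the file reappears."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("file shorter than a pcap global header")
    magic, major, minor, tz, sigfigs, snaplen, linktype = GLOBAL_HDR.unpack_from(data)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled here")
    if snaplen == 0 or snaplen > MAX_SNAPLEN:
        snaplen = MAX_SNAPLEN            # repair a nonsensical snaplen in the global header
    out = bytearray(GLOBAL_HDR.pack(magic, major, minor, tz, sigfigs, snaplen, linktype))
    report = {"kept": 0, "skipped_bytes": 0, "partial_last": False}
    pos, prev_ts, in_sync = GLOBAL_HDR.size, 0, True
    while pos + REC_HDR.size <= len(data):
        fields = REC_HDR.unpack_from(data, pos)
        ts_sec, ts_usec, caplen, origlen = fields
        end = pos + REC_HDR.size + caplen
        ok = header_plausible(fields, snaplen, prev_ts)
        if ok and end > len(data):
            if in_sync:                  # last packet cut off mid-body: keep what exists
                body = data[pos + REC_HDR.size:]
                if body:
                    out += REC_HDR.pack(ts_sec, ts_usec, len(body), origlen) + body
                    report["kept"] += 1
                    report["partial_last"] = True
                break
            ok = False                   # after a resync the whole record must fit
        if not ok:
            if not deep_scan:
                break
            pos += 1                     # deep scan: skip one byte and try again
            report["skipped_bytes"] += 1
            in_sync = False
            continue
        out += data[pos:end]
        report["kept"] += 1
        prev_ts, pos, in_sync = ts_sec, end, True
    return bytes(out), report


def verify(data):
    """Strict re-parse of a capture: returns the packet count or raises ValueError."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("no global header")
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(data)
    if magic != PCAP_MAGIC_LE or not 0 < snaplen <= MAX_SNAPLEN:
        raise ValueError("bad global header")
    pos, count, prev_ts = GLOBAL_HDR.size, 0, 0
    while pos < len(data):
        if pos + REC_HDR.size > len(data):
            raise ValueError(f"{len(data) - pos} dangling bytes at offset {pos}")
        fields = REC_HDR.unpack_from(data, pos)
        if not header_plausible(fields, snaplen, prev_ts):
            raise ValueError(f"implausible record header at offset {pos}")
        end = pos + REC_HDR.size + fields[2]
        if end > len(data):
            raise ValueError(f"record at offset {pos} runs past end of file")
        prev_ts, pos, count = fields[0], end, count + 1
    return count


def is_consistent(data):
    """True if verify() accepts the file without error."""
    try:
        verify(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_capture([bytes([i]) * 60 for i in range(3)])
    cut = good[:-40]                                   # crash 20 bytes into packet 3's body
    fixed, rep = repair(cut)
    print("truncated:", rep, "verified packets:", verify(fixed))
    garbage = good[:100] + b"\xff" * 16 + good[100:]   # junk written between packets 1 and 2
    print("shallow scan:", repair(garbage)[1])
    fixed, rep = repair(garbage, deep_scan=True)
    print("deep scan:", rep, "verified packets:", verify(fixed))
```

Two details carry over to the real tool. The partial last packet is written back with its captured length reduced to the bytes that actually exist, which is why a repaired file often ends in a record whose captured length is smaller than its original length. And the deep scan relies entirely on the header heuristics to reject the sixteen junk bytes and the misaligned windows that overlap the next real header; the timestamp-ordering rule does most of that work here, which is exactly the kind of coincidence a practitioner checks for after a deep scan on real data.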

SEE ALSO

tcpdump(1), wireshark(1), tshark(1), capinfos(1), editcap(1), mergecap(1)
